An Internet giant has made a colossal miscalculation. Earlier today Yahoo announced that its 2013 breach was found to be much larger during its 2016 merger with Verizon. The previously calculated figure of 1 billion accounts that Yahoo claimed were affected in 2013 has been revised to include all 3 billion accounts under the Yahoo umbrella. This news further rattles public confidence in Yahoo and is bad news for Verizon, its parent company.
Yahoo further claims that it is not required to individually notify each customer affected that was not notified in 2013, claiming that when the breach was discovered during the 2016 merger, the company “took action to protect all accounts.” This action included mandatory password changes and invalidating unencrypted security questions and answers so they could not be used to change access to the account. Apparently, when you lose all of your customers’ information, it doesn’t make sense to notify users individually; just wave the white flag.
Large organizations think of more than just the breached users when they decide what information to release to the press. They also must manage and minimize the reputational and legal damage the organization is about to suffer. Boardroom conversations include probability calculations, such as the likelihood of the public finding out that the breach is more widespread, or the cost of potential lawsuits and government fines.
What you need to know as a potential victim is that the stolen information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and both encrypted and unencrypted security questions and answers. The information that was stolen did not include passwords in clear text, payment card information, or bank account information.
SBS Cybersecurity suggests being mindful of phishing attacks that stem from this data, not only to Yahoo accounts but also to potential rescue/recovery email addresses from other email providers. Phishing phone call schemes are also a risk to customers who had their data breached. These schemes can seem quite legitimate due to the other data that was stolen along with names and phone numbers, but keep in mind that Yahoo will not be calling you. Additionally, legitimate companies will never threaten you over the phone or attempt to instill fear as a tactic to force your compliance.
As we discussed with Equifax, please operate under the assumption that your data has already been compromised. If you believe your data has been compromised (statistically speaking, it has been 2.5 times), we hope you will monitor your accounts and your credit more frequently and take additional steps to ensure attackers do not get access to your accounts. An ounce of prevention is worth well more than a pound of cure.
Written by: Buzz Hillstead
Senior Information Security Consultant - SBS CyberSecurity
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.